Description:
CakePHP is a RAD (Rapid Application Framework) framework for PHP which uses commonly
known design patterns like ActiveRecord, Association Data Mapping, Front Controller
and MVC. Unfortunately CakePHP is vulnerable to an arbitrary file access vulnerability
due to unsafe use of the readfile function that allows for an attacker to read any file
on the system that the webserver has read access to. This could be used to read password
files or sensitive configuration data etc. An updated version of CakePHP has been released
and users encouraged to upgrade their CakePHP installations as soon as possible.
Arbitrary File Access
CakePHP allows for developers to create dynamic content in a way similar to Ruby On Rails. One
of the files that allows for front end access to javascript for visitors is vulnerable to an
arbitrary file access vulnerability that allows an attacker to read any file on the system that
the webserver has read access to. Below is the vulnerable code from vendors.php
if (is_file('../../vendors/javascript/' . $_GET['file']) && (preg_match('/(.+)\\.js/', $_GET['file']))) {
readfile('../../vendors/javascript/' . $_GET['file']);
}
As seen above the only sanity checks made on the "file" variable are to see if it contains a *.js
file name. Of course an attacker can easily bypass this check.
http://www.example.com/js/vendors.php?file=../../../../.htpasswd%00foobar.js
Solution:
The CakePHP development team have released an updated version of CakePHP to address this issue.
Users are encouraged to upgrade their CakePHP installations as soon as possible.
Credits:
James Bercegay of the GulfTech Security Research Team
|